When designing a tablet-based app that needs its own extra security, there seem to be a couple of common choices: add a password screen with a keyboard, or use a passcode screen that has a keypad.

Currently we're requiring a six-digit passcode and using a keypad. The thinking is, this is a good compromise between security (six digits is more secure than 4, but less than a longer passphrase) and convenience (tapping on a numberpad is easier and quicker than a keyboard). Since we will be locking the app whenever the user switches to something else, the user will potentially be unlocking the app multiple times during the course of a session.

Are there any studies that illustrate the relative effectiveness of each approach? For example, will most people just choose their normal 4-digit PIN and repeat the first or last two digits, thereby making the passcode less secure? Is the advantage of easily tapping on a keypad worth the security tradeoff? If we allow only a four-digit passcode (which was requested by our CEO), will most users end up using the same passcode they use for the device, making this extra security completely worthless?

Bottom line, I'm looking for the sweet spot for making an app more secure while not completely crippling the user with difficult security measures.

2 Answers

A passcode's security doesn't come primarily from the crypto strength of the code, but from the limited number of tries that someone has. This is made even stronger when the passcode is only usable if someone has the physical device in their hands. (Requiring both a known passcode and physical access to a device is an instance of two-factor authentication.)

The same basic security rules apply to many bank accounts, where you usually need a 4-6 digit code, and the bank card to access the account - and you only have 3 tries before it is blocked.

You could make the passcode into a passphrase, but you aren't going to significantly increase security while you will hurt usability. Overall it's a balancing act where you have to consider the consequences of someone gaining access to the application, as well as the likelihood of it happening.

I haven't found any studies on this yet. However, you can make the comparison to a bank account when discussing it and consider whether you believe that level of security is acceptable for your application.
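As an added illustration of the "limited tries" model this answer describes (example code, not from either answer or the asker's app): a six-digit passcode lock that blocks after three wrong guesses, the padded-PIN heuristic the question worries about, and a worst-case estimate of how long the guess budget stretches a brute-force attempt. The lockout length, PBKDF2 parameters and the "repeated digit pair" heuristic are assumptions made for the example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3         # bank-style: three wrong tries, then blocked
LOCKOUT_SECONDS = 300    # assumed lockout length, not from the thread
PBKDF2_ROUNDS = 100_000  # assumed work factor for storing the code


def repeats_digit_pair(code: str) -> bool:
    """Heuristic for the question's concern: a six-digit code built by
    padding a four-digit PIN with two of its own digits (121234, 123434,
    123412) contains a repeated two-digit group."""
    pairs = [code[i:i + 2] for i in range(0, len(code), 2)]
    return len(set(pairs)) < len(pairs)


def worst_case_days(space: int) -> float:
    """Days an attacker with the device needs to exhaust `space` codes
    when each lockout window allows only MAX_ATTEMPTS guesses."""
    guesses_per_day = MAX_ATTEMPTS * 86400 / LOCKOUT_SECONDS
    return space / guesses_per_day


class PasscodeLock:
    def __init__(self):
        self.salt = self.digest = None
        self.failures = 0
        self.locked_until = 0.0

    def enroll(self, code: str) -> None:
        if len(code) != 6 or not code.isdigit():
            raise ValueError("passcode must be exactly six digits")
        if repeats_digit_pair(code):
            raise ValueError("passcode looks like a padded four-digit PIN")
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, PBKDF2_ROUNDS)
        self.failures, self.locked_until = 0, 0.0

    def verify(self, code: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked'; `now` is injected so the
        lockout clock is testable. The guess budget, not the size of the
        six-digit space, is what bounds an attacker holding the device."""
        if self.digest is None:
            raise RuntimeError("no passcode enrolled")
        if now < self.locked_until:
            return "locked"
        candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return "wrong"
```

With these assumed parameters a uniformly chosen six-digit code takes over three years to exhaust and a four-digit one under two weeks; the heuristic matters because a padded device PIN shrinks the effective space towards the four-digit figure.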

I can't cite studies, but in my experience: the only way to be sure that users will use sufficiently-secure passcodes is to choose them yourself.

I have seen remarkable resilience and creativity in generating insecure passwords in the face of IT security requirements. Adding numbers to the end, to the front, doubling certain letters, physical patterns on keyboards; users will always take the laziest route possible.

In your case: you can pretty much guarantee that six-digit passcodes will resemble the four-digit device ones. You can definitely guarantee that four-digit passcodes will be copied from the four-digit device ones.

So either:

Accept that user-generated passcodes are going to be sub-optimally secure.